In this section we describe system and network security tools within the Common Criteria (CC) framework of functional and assurance requirements. These tools are especially useful for vulnerability assessment as defined in the CC assurance requirements. The tools discussed below can assess the risks and vulnerabilities of the IT infrastructure that supports business applications and processes: networks, firewalls, operating systems and application servers.
Network Port Scanners
A network port scanner is a tool that quickly, easily, and automatically scans many network devices, determines which TCP or UDP ports are active, and logs the results. A security professional can use a network port scanner to assess current controls as well as potential vulnerabilities. Scanning from outside the perimeter, taking a hacker's viewpoint, lets you analyze firewall configurations and filters and identify vulnerable ports and services. Scanning from inside the security perimeter shows which unnecessary services are running on your network devices so that they can be disabled or removed. Using the network port scanner both internally and externally is recommended.
Nmap is an open-source, free, and incredibly useful scanning tool available from Insecure.org. It is designed to run on most UNIX operating systems and even ships with some Linux distributions. There is a Windows version as well, although it is "still under active development and is not yet as stable or fast as the traditional UNIX version." We used Nmap version 2.54BETA, which ships with Red Hat 7.3, and the GUI front end NmapFE.
Nmap can be used to help evaluate a system according to the CC requirements for protection of security functions, to assure proper configuration management, and to assess the vulnerabilities of a system. Nmap has a great many advanced scanning and configuration options. Once you understand the basics from the GUI interface, it is relatively simple to use Nmap from the command line or in a script to further automate scanning. The GUI even shows the command line syntax that will be used as you check and uncheck options. Nmap has other features besides port scanning; OS detection is discussed later in its own section.
Below is an example of a basic scan that illustrates the ease of use and utility of Nmap.
Figure 1 NmapFE example.
An information security policy should specify which network services are permitted and which denied. The Nmap scanner can be used to test networks for compliance with an organization's policies. Using Nmap to scan from various points (e.g. inside your perimeter, outside your perimeter, on specific hosts, etc.) will indicate services that are visible to various users and devices.
Additionally, Nmap can be used for the CC functional requirement of security audit. To confirm that logging of system activity is enabled, Nmap test scans should be found in logs. Such logs of activity on firewalls, intrusion detection systems, 'honeypots' and host systems are critical to the security audit function.
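As an added example (not from the article), the following Python script checks the other side of that audit requirement: whether a test scan actually shows up in the firewall logs. It reads syslog lines of the kind the Linux netfilter/iptables LOG target produces and reports any source that touched many distinct destination ports within a short window. The log lines, addresses and the year used for the timestamps are constructed; the thresholds are illustrative and should be tuned to the site.

```python
"""Spot port-scan activity in netfilter/iptables LOG lines taken from syslog."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields we need from a netfilter LOG line; other fields are skipped with .*?
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log: 12 SYNs from one source to 12 consecutive ports within
# 12 seconds (scan-like), plus two ordinary connections from another host.
SAMPLE_LOG = [
    f"Jun 14 10:15:{sec:02d} fw kernel: IN=eth0 OUT= "
    f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 "
    f"LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT={40000 + sec} DPT={port} "
    f"WINDOW=5840 RES=0x00 SYN URGP=0"
    for sec, port in enumerate(range(21, 33))
] + [
    "Jun 14 10:15:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun 14 10:16:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=51001 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0",
]


def parse_line(line, year=2002):
    """Extract timestamp, source, destination, protocol and destination port.
    syslog timestamps carry no year, so the caller supplies one (2002 is a constructed default)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m.group("src"), "dst": m.group("dst"),
            "proto": m.group("proto"), "dpt": int(m.group("dpt"))}


def detect_scans(lines, window_seconds=60, min_ports=10):
    """Return [(source, distinct_targets)] for every source that hit at least
    min_ports distinct (dst, proto, port) targets inside some window_seconds span."""
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_src[event["src"]].append(event)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start, best = 0, 0
        for end in range(len(events)):
            # advance the window start until the span fits inside window_seconds
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            targets = {(e["dst"], e["proto"], e["dpt"]) for e in events[start:end + 1]}
            best = max(best, len(targets))
        if best >= min_ports:
            alerts.append((src, best))
    return alerts


if __name__ == "__main__":
    for src, count in detect_scans(SAMPLE_LOG):
        print(f"possible port scan from {src}: {count} distinct targets within 60 s")
```

If a scan run from a known test host produces no alert, either the firewall is not logging those packets or the logging is not reaching the collector; both are gaps in the security audit function this section is concerned with.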
Nmap can be used to evaluate and test identification and authentication and trusted path/channel, in the cases where these functions are based on IP addresses. By using Nmap's spoofing features to scan a system you can assess authentication and trusted path/channels by monitoring how the system responds to traffic with spoofed addresses. Nmap can give some insight regarding resource utilization by pointing out unnecessary ports that are open on devices. Unnecessary open ports generally use extra resources on a host and unnecessary services can use network resources as well.
Operating System and Application Detection
The practice of remote OS detection or application detection is a widely used hacking technique. If a hacker can learn which OS or application is running on a host it points him in the right direction to look for vulnerabilities. Often, there are vulnerabilities that allow a hacker to subvert the expected security functionality of a system and can cause loss of data confidentiality, integrity, or availability.
One of the easiest methods of OS detection is using telnet to connect to the host and reading the banner that is returned, often the default banner (see the default for Linux below). Often an ftp or web server will also answer with a banner or header that gives out OS or application information. Several tools are available to grab banners or headers (see IDSERVE at www.grc.com).
Running Nmap with "OS detection" enabled shows what information a host releases about its operating system, and therefore how securely this sensitive information is maintained. Once the OS or application version is known, published vulnerability listings can be checked at the vendor sites or in other vulnerability listings on the Internet.
Configuration Benchmarking Tools
The Center for Internet Security (CIS, see www.cissecurity.org ) offers tools for benchmarking the security of various operating systems against templates to assess each host's compliance with specific security levels. CIS provides benchmarking tools and various templates for Windows 2000, Windows NT, Linux, HP-UX, Solaris and Cisco routers. They provide templates for predetermined security levels for Windows NT or 2000 Level-1 (minimum consensus), Windows 2000 Level-2, Windows 2000 professional consensus baseline security settings, Linux Level-1, HP-UX Level-1, Cisco Routers Level-2 and Level-1.
These templates are created by the CIS with input from the IT security community including members of the Center for Internet Security (CIS), the SANS Institute, and the following agencies of the United States federal government: the National Security Agency (NSA), the Defense Information Systems Agency (DISA), the National Institute of Standards and Technology (NIST), and the General Services Agency (GSA).
The CIS benchmark tools are easy to use and allow you to run a benchmark of your devices against the templates to determine how well they measure up. The tool provides a list of tests that were passed and failed, fixes that need to be applied, configuration issues, and a summary report including an overall score on a scale of 1 to 10. These tools offer a quick and easy way to test your devices against known operating system problems and vulnerabilities as determined by respected professionals in the security community.
The CIS benchmark tools can easily evaluate the protection of security functions. The benchmark checks the OS features against your predetermined template to make sure that it conforms to the expected security functionality of the OS. Additionally, the CIS benchmark tool can be used as part of your vulnerability assessment since it assesses your code levels as well as other potential vulnerabilities. The CIS tool also helps evaluate security management and configuration management by pointing out security issues in the definitions of OS users and groups, incorrect configuration and mismatches. Simply running the tool against a template which conforms to your system security policy quickly and easily points out gaps in security functionality and vulnerabilities, determines overall severity, and lists the categories where corrective action is required to bring the system back within expected security policy.
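To make the template-driven benchmarking concrete, here is an added Python example that is not the CIS tool and does not use the CIS templates: it checks a configuration file against a template of required settings, reports the tests passed and failed with the fix for each failure, and computes an overall score on a ten-point scale in the spirit of the summary report described above. The template, its weights and the sshd_config fragment are constructed for the example; the parser follows sshd's rule that the first occurrence of a keyword wins.

```python
"""Benchmark a host configuration file against a template of required settings."""

# Constructed template (not the CIS benchmark): the setting, the value the
# policy requires, a weight for scoring, and the corrective action.
TEMPLATE = [
    {"key": "Protocol", "expect": "2", "weight": 3,
     "fix": "Set 'Protocol 2' so only SSH protocol version 2 is offered"},
    {"key": "PermitRootLogin", "expect": "no", "weight": 3,
     "fix": "Set 'PermitRootLogin no' and use sudo/su for administration"},
    {"key": "PermitEmptyPasswords", "expect": "no", "weight": 2,
     "fix": "Set 'PermitEmptyPasswords no'"},
    {"key": "X11Forwarding", "expect": "no", "weight": 1,
     "fix": "Set 'X11Forwarding no' unless X11 forwarding is required"},
    {"key": "Banner", "expect": "/etc/issue.net", "weight": 1,
     "fix": "Set 'Banner /etc/issue.net' to display the authorized-use notice"},
]

# Constructed sshd_config fragment for the host under test.
SAMPLE_CONFIG = """# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes
PermitEmptyPasswords no
#X11Forwarding no
"""


def parse_config(text):
    """Parse 'Keyword value' lines; comments and blanks are ignored and, as in
    sshd, the first occurrence of a keyword is the one that takes effect."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key, value.strip())
    return settings


def benchmark(config_text, template):
    """Return passed keys, failed items (with actual value and fix) and a 0-10 score.
    A setting that is absent or commented out counts as failed: its effective value
    was not verified, which is the conservative reading for a benchmark."""
    settings = parse_config(config_text)
    passed, failed = [], []
    for item in template:
        actual = settings.get(item["key"])
        if actual is not None and actual.lower() == item["expect"].lower():
            passed.append(item["key"])
        else:
            failed.append({"key": item["key"], "actual": actual, "fix": item["fix"]})
    total = sum(i["weight"] for i in template)
    earned = sum(i["weight"] for i in template if i["key"] in passed)
    return {"passed": passed, "failed": failed, "score": round(10 * earned / total, 1)}


if __name__ == "__main__":
    report = benchmark(SAMPLE_CONFIG, TEMPLATE)
    print("score:", report["score"], "/ 10")
    for f in report["failed"]:
        print(f"FAIL {f['key']} (actual: {f['actual']}): {f['fix']}")
```

Weighting the items is what turns a pass/fail list into a severity judgement: a permitted root login costs more than a missing banner, so two hosts with the same number of failures can still end up with different scores.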
Remote Vulnerability Assessment Scanners
Nessus is part of the current generation of security scanners. It is actually a framework that can be used to scan for vulnerabilities at several layers of the OSI model. It allows different component tools to share and correlate data in scanning for vulnerabilities.
Nessus is built as an easy-to-use, robust vulnerability scanner. Nessus is a GPL license client-server application (available at www.nessus.org) that creates a security tool framework. It builds on previous tools, integrates them, and allows for extension in the future. The Nessus server runs on UNIX systems (Linux, Solaris, BSD, and more) and there are clients for both UNIX and Win32 platforms. The server runs all scans and tests while the clients configure and control the server.
Nessus is a multi-user system with access control so multiple users within an enterprise can share a server and have different permissions regarding scanning and testing. Nessus includes a special scripting engine and language (NASL) that anyone can use to write a security check, and allows security checks to be written in C. All security checks are based on plugins and anyone can write and share plugins that they write for a specific vulnerability.
In Nessus one plugin can use information that another has obtained, so Nessus allows the development of security checks that build on others that already exist. Since it is plugin based, the framework can be continually extended and evolve as the security community becomes aware of new vulnerabilities.
As an example, consider that Nessus comes with built-in support for use of the Nmap tool as a port scanner. It is possible to write a plugin that uses the information gleaned from Nmap and other plugins. So if you wrote a plugin that scans for FTP server vulnerabilities, it can first check to see if Nmap found an FTP server running on port 21 on a host and then scan for the vulnerability only if Nmap found an FTP server there.
This type of efficiency saves time, bandwidth, and effort and helps to make Nessus an incredibly powerful tool. The program implements additional functionality through its knowledge base features, where the results of previous scans can be saved and aged and reused while still considered valid.
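The knowledge-base and plugin-dependency behaviour described in the last three paragraphs, as an added example written for this section rather than code from the Nessus project: a small Python model in which a port-scan stage records what it found in a shared knowledge base, a dependent FTP check runs only on hosts where that stage recorded an FTP service, and entries age out after a configurable time so a later run cannot reuse stale results. The scan results, banners and key names are constructed for the example (the key layout is loosely patterned on Nessus's "Services/ftp" style but is not Nessus's API).

```python
"""Model of a plugin framework with a shared, aged knowledge base (KB)."""
import re


class KnowledgeBase:
    """Key/value store whose entries expire max_age seconds after being stored."""

    def __init__(self, max_age):
        self.max_age = max_age
        self._items = {}                    # key -> (value, time stored)

    def set(self, key, value, now):
        self._items[key] = (value, now)

    def get(self, key, now):
        """Return the stored value if it is still fresh, otherwise None."""
        item = self._items.get(key)
        if item is None:
            return None
        value, stored_at = item
        return value if now - stored_at <= self.max_age else None


# Constructed stand-in for what the port-scanner stage (e.g. Nmap) would report.
SCAN_RESULT = {
    "192.0.2.10": {21: "ftp", 22: "ssh", 80: "http"},
    "192.0.2.20": {22: "ssh", 443: "https"},
}
# Constructed banners that a service-identification step would have captured.
BANNERS = {("192.0.2.10", 21): "220 ExampleFTPd 9.9.9 ready."}


def portscan_plugin(kb, host, now):
    """Producer: record open ports and service names so later plugins can use them."""
    for port, name in SCAN_RESULT.get(host, {}).items():
        kb.set(f"{host}/Ports/tcp/{port}", True, now)
        kb.set(f"{host}/Services/{name}", port, now)
    return []


def ftp_banner_plugin(kb, host, now):
    """Consumer: only reached when the KB says an FTP service was found on the host."""
    port = kb.get(f"{host}/Services/ftp", now)
    banner = BANNERS.get((host, port), "")
    kb.set(f"{host}/ftp/banner/{port}", banner, now)   # shared with later plugins
    if re.search(r"\d+\.\d+", banner):
        return [(host, port, "FTP banner discloses a version string")]
    return []


# (name, KB keys the plugin depends on, function), ordered so producers run first.
PLUGINS = [
    ("portscan", [], portscan_plugin),
    ("ftp_banner_version", ["Services/ftp"], ftp_banner_plugin),
]


def run_scan(hosts, kb, now):
    """Run every plugin against every host; a plugin whose KB dependencies are
    missing or aged out is skipped and the skip is recorded with its reason."""
    report = {"findings": [], "skipped": []}
    for host in hosts:
        for name, requires, fn in PLUGINS:
            missing = [k for k in requires if kb.get(f"{host}/{k}", now) is None]
            if missing:
                report["skipped"].append((host, name, missing[0]))
                continue
            report["findings"].extend(fn(kb, host, now))
    return report


if __name__ == "__main__":
    kb = KnowledgeBase(max_age=3600)        # results stay valid for one hour
    print(run_scan(list(SCAN_RESULT), kb, now=0))
    print(kb.get("192.0.2.10/Services/ftp", now=1800))   # still fresh
    print(kb.get("192.0.2.10/Services/ftp", now=7200))   # aged out
```

The skip record matters as much as the findings: a check that never ran because its dependency was missing is not evidence that the host is clean, and a report should distinguish "tested and passed" from "not tested".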
Figure 2 Nessus KB
We used the stable release Nessus 1.2.5 on Red Hat Linux 7.3 for this article. The package comes with an extensive set of plugins (a complete list can be found at cgi.nessus.org/plugins/) categorized into groups. You can easily enable or disable entire groups of plugins, and each group in turn contains many individual vulnerability tests that can be selected or deselected if you want to get down to a granular level. One enterprise-class feature of Nessus is an automated update script that downloads all of the latest vulnerability checks from the Nessus site on the Internet, analogous to the automated virus signature updates of virus scanning programs.
The Nessus server runs the scan as specified and produces a report that you can view or save in HTML, XML, NBE and various other formats. The report is very detailed and includes good descriptions of the vulnerabilities found as well as instructions on how to correct them.
Figure 3 Nessus plugins
Overall, Nessus is the most comprehensive tool illustrated here. Considering the price of competing security scanners the fact that Nessus is available for free is almost unbelievable. While it is definitely complex enough for advanced security professionals, it is easy enough for basic to intermediate network professionals to be able to use it on a regular basis to help ensure that their networks and applications are protected from unauthorized access, loss of data, and loss of availability. Combined with the automated update feature for downloading new plugins to test for vulnerabilities, Nessus is an excellent choice for any security-minded enterprise.
Nessus can be very helpful for the evaluation and assessment of assurance within the Common Criteria framework. Since it includes Nmap functionality it can be used for everything that Nmap can be used for in terms of protection of security functions, identification and authentication, trusted path/channel, and resource utilization. However, Nessus is much more than just a port scanner, and the currently downloadable version is helpful in many more aspects of the Common Criteria especially with regard to vulnerability assessment.
Nessus assesses known vulnerabilities on many levels, everything from the OS to ftp to CGI abuses to incorrect or default configuration in the OS. Using the myriad of tests is an easy and extensive way to assess vulnerabilities. Nessus can be incorporated into your security audit to test how well your security audit logs and alerting performs in the face of various Nessus scans. This can help identify shortcomings in your current security audit functions and point out where to focus improvements.
Nessus has denial-of-service (DoS) scanning features that can help evaluate the resource utilization class as well as DoS vulnerabilities. It also scans for common default and incorrect configurations, which allows evaluation of the security management requirements. Nessus can also be used to evaluate a system for the user data protection and privacy functions. The tool allows you to enter userid/password combinations for HTTP, FTP and other applications, which the scanner then uses while scanning hosts to point out further vulnerabilities from the perspective of a valid user (e.g. writeable directories).
Nessus also allows for brute force attacks using login and password files. This will allow further evaluation of the identification and authentication and security audit functions by measuring the target system's response to a brute force attack.
Since Nessus is open and anyone can extend its features by writing a plugin in either NASL or C, it can ultimately be used for evaluation and assessment of assurance levels of any class defined within the Common Criteria for information technology security.
Fredric Greene, CISSP, CPA, MCSE, CCNA is the president of Greene Security & Audit (www.greenesecurity.com). Richard Rabinowitz is president of BitSavvy LLC, an IT Security and Infrastructure consulting firm (www.bitsavvy.com)